Privacy

INFORMATION ON PERSONAL DATA PROTECTION

(concerning personal data processed by the Data Controller and personal data collected from a website) pursuant to article 13 of Italian Legislative Decree 196/2003 (Personal Data Protection Code) and the Recommendation adopted on the 5/17/2001 by the Article 29 Working Party established under Directive 95/46/EC.

§ 1. Introduction

Dear Mr./Mrs./Ms./Sirs,the browsing of this Website (www.nalevi.it and www.nalevi.com for the international version), the purchase of products from this Website, any requests for information or assistance sent to us and any communications made within the scope of ordinary business activities and commercial relationships imply that our company NALEVI S.r.l. can collect personal data on its customers and users. In compliance with Legislative Decree 196/2003, we deem it important to inform our users of the ways and purposes for which said data are collected.Our company, De Marchi Gianotti di Gianotti Paolo & c. S.n.C., which is the Data Controller and the owner of the www.nalevi.it (and www.nalevi.com for the international version) website informs you of the following, and invites you to read this document carefully BEFORE providing any data.This page contains a description of how we process personal data concerning users that visit the Website or have access to the services offered on it.

enacts the provisions set forth by Recommendation 2/2001 of the Group established under article 29 of Directive 95/46/EC, adopted on May 17, 2001 (see http://www.garanteprivacy.it/documents/10160/10704/434757.) The “Data Processor” under article 2, letter (d), of Directive 95/46/EC corresponds to the “Data Controller” under article 4, 1st paragraph, letter (f), of the Code; similarly, the “person in charge of the data processing” under article 2, letter (e), of Directive 95/46/EC corresponds to the “Data Processor” under article 4, 1st paragraph, letter (g), of the Code], hereinafter the “Recommendation”, for the purpose of identifying the minimum requirements to be met with respect to online personal data collection and, more specifically, to the modality, moment and kind of information that the Data Controller must provide to users when they have access to the Website, regardless of the purpose of said access.

This information is provided exclusively for the nalevi.it and nalevi.com Website.

§ 3. Data Processors and Persons in Charge of Data Processing

(art. 13, 1st paragraph, letters (d) and (f) of the Code and point 9 of the Recommendation)Internal Data Processors. In connection with the processing of personal data carried out within the scope of our business and for the purposes indicated below (see § 6, 7 and 8), including any reply to requests made by the data subject under article 10 of the Code, the Internal Data Processor is Mr. Paolo Gianotti, who may be contacted at the Data Controller's address (as per § 2) both using hard-copy and digital communications (e.g. by writing to info@nalevi.it).External Data Processor. The Data Controller De Marchi Gianotti di Gianotti Paolo & c. S.n.C. has appointed some external Data Processors, which perform the data processing as instructed by the former, for the sole purpose of better achieving the objectives set out below (see § 4, 5, 6, 7 and 8). The Data Controller can have recourse to other professionals/consulting firms, on condition that they are previously appointed Data Processors / persons in charge of data processing.External Data Processors will also include System Administrators, if any.An updated list of the Data Processors is provided either orally or in writing to the data subject upon request of the same made over the telephone, by letter or e-mail to the Data Controller at the addresses or number indicated above (see § 2).Persons in charge of data processing. The persons in charge of data processing are our employees/staff members performing secretarial, administrative and accounting tasks, including any internal contractors.

§ 4. Scope of Data Disclosure

(article 13, 1st paragraph, letter (d) of the Code and point 9 of the Recommendation)The data processing may require the disclosure of information to specific entities performing the function of Data Processor, Person in charge of data processing or autonomous Data Controller. Said entities may either be internal to the company, such as employees or internal contractors, or external professionals, organizations and companies.Personal data may also be disclosed to third parties by merely showing, delivering or filing documents or other written instruments [Consultants and Professionals in general, collaborators, Consulting Firms and Companies (providing administrative, technical, fiscal, IT or engineering services, etc.) public bodies and institutions, the Tax Authority, Public Authorities, etc.], for the sole purposes set forth at § 6 – 7 and exclusively to the extent strictly required.Communication of personal data is carried out, after the Data Processor has been appointed – save in case of exceptions, e.g. in the event of Public Authorities – for the purpose of pursuing, even through third parties, the objectives set forth at § 6 – 7; the area in which data are disclosed is the territory of Italy or the EU. Data are not disseminated [Pursuant to article 4, 1st paragraph, letter (m) of the Code; ‘dissemination’ shall mean disclosing personal data to unidentified entities, in any form whatsoever, including by making available or interrogating such data.]

§ 5. Place of Data Processing

Data are processed at the Data Controller's head offices (see § 2) of at the head offices of external Data Processors appointed (see § 3).The server hosting the www.nalevi.it and www.nalevi.com website, and consequently also the database where the information provided by the data subject through this Website are stored, is located in Milan, Italy, at the server farm named Level IP. Level IP is a trademark of Enter S.r.l., a company with registered office in Italy at the following address: via Stefanardo da Vimercate 28, 20128 Milan, Italy – VAT No. 03704230964. The Website hosting system is remotely managed by Uovostudio di Monica Farronato & C S.a.s., with registered office at the following address: Favria (Turin), Italy, piazza Martiri della Libertà 28.

§ 6. Personal Data undergoing Processing

6.1 Browsing Data

In case of simple access to the www.nalevi.it (or www.nalevi.com for the international version) Website, without registering or logging in as registered users, no personal data is collected. Nevertheless, the IT systems and software procedures adopted for the functioning of the Website acquire, during their ordinary activity, some personal data whose transmission is implicitly related to the use of internet communication protocols.Such information is not collected for the purpose of being associated with identified data subjects, however, in consideration of their nature, if processed and associated with data in possession of third parties (such processing and association is not carried out by the Data Controller) it could enable the identification of the users concerned.This category of data includes IP addresses or the domain names of computers used by internet users connecting to the Website, URI (Uniform Resource Identifier) addresses of the required resources, the time of the request, the method used to submit the request to the server, the size of the file received in reply, the code number identifying the status of the reply given by the server (delivered, error, etc.) and other parameters concerning the operating system and the user's IT environment.Said data are used for the exclusive purpose of obtaining anonymous statistical information about the use of the Website and of checking its proper functioning, and are deleted after the processing. Data could be used to evaluate any liability in case of possible computer crimes that may affect the Website. After a predefined period of time, which in any case is not longer than a month, the data are deleted.

6.2 Optional Data Provided by the User

6.2.1 Registration and Online PurchasesIn order to make purchases online, users are required to register with the Website. Therefore, if they start the purchase procedure without been registered, after selecting one or more products by adding them to their trolley, and clicking on the “next” button to complete the procedure, they will be requested to register and provide their billing details. The data required are the following: e-mail, password, country, customer type [natural person (in which case their taxpayer code is also required) or company (in which case its VAT number is also required)], name, family name, address, ZIP code, city, area, phone number. The above mentioned data are necessary to complete the order and execute the contract, as well as to perform it, deliver the goods, check order status, issue an invoice, fulfill the ordinary management tasks and fiscal duties of the company (§ 7 letter (b)).The customer, after adding the products to the trolley and completing the purchasing procedure, will receive several e-mails containing order status reports. Notably, the order will be followed by a confirmation e-mail containing a detailed description of the purchased goods. A second e-mail will inform the customer that the goods have been shipped and will contain the relevant shipping agent track code. Finally, a last e-mail will contain a description of the order and an invoice in pdf format. With the registration procedure, users create a personal account through which they can have access to all information concerning any placed and pending orders, and also manage and update their personal data at any time. Moreover, through their accounts, users can express comments and assess purchased products and service provided. With regard to the latter, comments can be published by De Marchi Gianotti di Gianotti Paolo & c. S.n.C. on the Website at its sole discretion, by including just the user's first name (Christian name) only, without any further identification data.If users have already registered with the Website, they will be able to complete the purchase procedure by merely entering their e-mail and password.To enable the authentication procedure through login ID and password, the Data Controller uses some cookies. For said purposes, see § 6.4.

6.2.2 E-mail AddressExcept in case the user expressly declares to oppose, the Data Controller can use the customer's e-mail address provided during the purchase procedure to send advertisements concerning products similar to those purchased (pursuant to article 130, 4th paragraph, of Legislative Decree 196/2003.) The user can oppose to the use of his or her e-mail address for the delivery of such messages at any time by clicking on the specific link contained in all promotional e-mails or by contacting the Data Controller at the addresses indicated at § 2.

6.2.3 Payments by Credit Card<If the user decides to pay by Credit Card, the information required in order to carry out the transaction (credit card number, expiry date, holder’s name and safety code) are encrypted inside Paypal gateaway software, which processes credit card data directly: in this way, the Data Controller is not involved in the transaction, and consequently cannot collect, provide or process information concerning the use of the Credit Card.

6.3 Sensitive or Judicial Data

The Data Controller does not record or collect judicial or sensitive data pursuant to article 4, 1st paragraph, letters (d) and (e) of Legislative Decree 196/2003.

6.4 Cookies

A cookie is a short text file incorporated by a website into the user's computer hard disk. Cookies make it possible to create a link between the user's computer, the website browsing and the profile created by the user (if any): they are not intrinsically related to a specific user, but could be connected with personal information (a connection not made by the Data Controller.)No personal data of the users is collected by the Website in this case. The Website does not use cookies for personal data transmission, or any user tracking systems. The cookies used by De Marchi Gianotti di Gianotti Paolo & c. S.n.C. are indicated in the relevant section, where their functioning and purpose are detailed.The cookies used by the Data Controller De Marchi Gianotti di Gianotti Paolo & c. S.n.C. are temporary: when users get connected to the Website and enter their user name and password, cookies make it possible to recognize them, allowing them to have access to the service in accordance with the personal profile created by the users themselves.The use of the so-called session cookies is strictly limited to the session identifiers transmission (consisting in random server-generated numbers) necessary to enable the exploration and efficiency of the Website, thus making it possible to make a purchase. The so-called cookies are automatically deleted by the system. To learn more about each single cookie modality and duration time, see the relevant section.The so-called session cookies used by this Website do not use other information techniques which are potentially prejudicial to the user's privacy, and do not enable the acquisition of personal data that may allow the user's identification.Some cookies enable the Data Controller to manage conversion, tracking and management data relating to the operativity of the trolley sessions of the purchase on the Website.The Data Controller also uses cookies for statistical purposes related to the use of services in anonymous manner.Users may disable the cookies at any time by selecting the relevant option in their browser setup.In the event that users decide not to accept cookies, they can visit the Website anyway, but they might not be able to benefit from the services offered in full or in part for mere technical reasons.For further information on how we manage cookies and how to disable them, see the relevant section.

6.5 Chat Tools and Synchronous Communication

The www.nalevi.it (and www.nalevi.com for the international version) website offers the opportunity to communicate with the company via Skype or through a software developed by Provide Support (http://www.providesupport.com/) of New York, USA, from which Nalevi has bought a user license. In this way, users can keep in touch with the staff of De Marchi Gianotti di Gianotti Paolo & c. S.n.C. by entering their name, family name and e-mail address.

§ 7. Purpose of Personal Data Processing

(article 13, 1st paragraph, letter (a) of the Code, and point 6 of the Recommendation)The data processing is carried out by the Data Controller, De Marchi Gianotti di Gianotti Paolo & c. S.n.C., for the following purposes: (a) replying to users' requests, even if they have not registered or made a purchase yet (assistance and pre-contract information services); (b) enabling users to register with www.nalevi.it (and www.nalevi.com for the international version)and entering into an online purchase agreement, processing received orders and providing post-sales assistance; (c) fulfilling obligations set forth by the applicable laws (invoicing, bookkeeping and retention of accounting records, tax requirements in general, bank details, etc.) and performing duties and requirements related to the company management (i.e. liaising with the Chamber of Commerce, Tax Authorities, public authorities, banks, etc.) or in connection with inspection, assessment, pre-trial and judicial procedures; (d) for so-called marketing purposes, i.e. the shipment of promotional materials by De Marchi Gianotti di Gianotti Paolo & c. S.n.C. (including the “newsletter”) in connection with either its own products or products of third parties, for activities related to the measurement of customer satisfaction, direct sale or commercial communications, by e-mail or mail, and/or over the telephone.

§ 8. Data Processing Methods

(article 13, 1st paragraph, letter (a) of Legislative Decree 196/2003)The processing is carried out manually or using IT and electronic tools, by adopting methods that ensure confidentiality and safety (also in terms of the integrity and availability) of data, using both digital means and hard-copy documents. Said tools, means and documents, which are normally kept in the at the Data Controller's offices, are intended for the storage and management of data for purposes strictly related and functional to the objectives under § 6-7.Notably: (a) data processing operations are carried out at the Data Controller's offices, or at the offices of the appointed External Data Processor; (c) collected data form both a digital database and a hard-copy archive for billing purposes, the drafting of quotations, notes, accounting records, the processing of orders, etc.; (d) IT tools consist of computers and notebooks kept at the Data Controller's offices; (e) the data provided by customers through this Website are recorded online on an external server (server farm), where they are at the customer's complete disposal, and can be accessed through a user name and password that only the customer knows. Personal data are stored in the Data Controller's offices, in a dedicated room, or at the External Data Controller's offices, unless otherwise set forth by law, for the period of time required by the legislation in force or necessary to enable the Data Controller or an External Data Processor to perform the data processing under § 6 - 7, with adoption of all the protections measures required by law (pursuant to articles 31, 33, 34 and 35 of Legislative Decree 196/03 and to the Technical Requirements – Annex B).

(article 13, 1st paragraph, letters (b) and (c) of Legislative Decree 196/2003 and point 7 of the Recommendation)Providing your personal data, even though not mandatory (except for those indicated at § 7, letter (c)), is essential for the realization of the service requested and/or the fulfillment of the above-mentioned obligations/requirements, and is indispensable for the execution and performance of the contract under § 6 - 7: in case of refusal, your data cannot be processed, and therefore it will be impossible to establish/perform/continue any contractual relationship. Most notably, providing your data is indispensable for the purpose of registering with the Website and the processing of orders: consequently, in case of refusal, the registration procedure cannot be completed, and the user will not be able to receive the services offered by the Data Controller (see purposes under §7, letters (a) and (b)).Your consent to the processing of your personal data for the marketing purposes detailed at §7, letter (d) is optional, and in case of refusal to consent to the processing for such purposes you will be able to register and make purchases without any consequences, except only for the possibility of receiving promotional material from De Marchi Gianotti di Gianotti Paolo & c. S.n.C. (including the “newsletter”) concerning its own products or products of third parties, in connection with activities related to the measurement of the level of customer satisfaction by e-mail, mail or on the telephone.In compliance with the Data Protection Authority General Measures dated July 4, 2013, the user is hereby informed of the following:

in connection with data processing for marketing purposes as per §7, letter (d), users may give a single consent, which in any case applies to various forms of processing (the so-called automated modalities, such as e-mail, and traditional modalities, such as mail and/or operator phone calls);

consent given for sending commercial and promotional messages with the so-called automated modalities (such as e-mail), said consent will be extended also to the so-called traditional modalities (such as mail and/or operator phone calls);

the users' right to oppose to the processing of their personal data for marketing purposes, which can be exercised at any time, as per § 12 “Data Subject's Rights” below, by way of automated modalities (such as by clicking on the specific link contained at the bottom of every e-mail message) also applies to traditional modalities. Users may exercise said right also partially, pursuant to article 7, 4th paragraph, letter (b) of Legislative Decree 196/2003, by opposing only, for example, to the delivery of promotional messages by way of automated systems or, alternatively, traditional systems.

§ 10 Third Parties' Data

If the user provides personal data concerning third parties, the Data Controller assumes, upon data provision, that the third parties concerned have been previously informed of the contents of this informational document, and that they have freely given their previous consent to the processing for the purposes for which such data are provided. Otherwise, data concerning third parties cannot be provided.Users cannot provide data concerning third parties unlawfully, instead of their own, as such behavior may constitute a crime under article 494 (personation) of the Italian Criminal Code.

§ 11. Response to Data Subjects

(article 10 of Legislative Decree 196/2003 and points 8 and 11 of the Recommendation)The data subjects may exercise their rights and request that their data be amended, updated or deleted, as well as exercise the rights set forth by Legislative Decree 196/2003 by contacting the Data Controller or the Internal Data Processor (see § 2) either electronically or through hard-copy communications, at the addresses specified above. Response to data subjects will be given promptly, in compliance with the internal procedures adopted by the Data Controller.Internal Data Processors may be asked question concerning personal data protection (point 11 of the Recommendation).

§ 12. Data Subject's Rights

Art. 7(Right to Access Personal Data and Other Rights)1. A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.

2. A data subject shall have the right to be informeda) of the source of the personal data;b) of the purposes and methods of the processing;c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;d) of the identification data concerning data controller, data processors and the representative designated as per Section 5(2);e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.

3. A data subject shall have the right to obtaina) updating, rectification or, where interested therein, integration of the data;b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.

4. A data subject shall have the right to object, in whole or in part,a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.

Rights are exercised in accordance with the methods specified at articles 8 and 9 of Legislative Decree 196/2003. The text of said Decree is available at www.garanteprivacy.it.

§ 13. Measures Adopted to Protect the Website's Authenticity, and the Comprehensiveness and Confidentiality of Personal Data Provided through the Website

(point 13 of the Recommendation)Each page of this Website on which the user is requested to provide personal data of any kind is protected as a private area accessible through an originally encrypted password which cannot be intercepted or decoded by third parties.